w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/
Other
1.19k stars 178 forks source link

Advice on language to use? #1708

Closed ghost closed 2 years ago

ghost commented 2 years ago

(This is not an issue but a question for the community. Just not sure where else to ask it. Apologies if this is the wrong place!)

I'm using WebAuthn and unsure what language to use so the user understands what's happening. I'd love anyone's input!

Specifically, I'm using the user's email address as the display name and defaulting to platform authenticators. So, there are two steps, where step 1 is "Enter Your Email". But I'm unsure what to call step 2.

I started with "Complete Biometric", but the platform authenticator won't always be a biometric — sometimes it'll be a passcode, or pattern, or PIN, etc.

Then I tried the slightly more generic "Complete Biometric/Passcode Check", but that's a mouthful and still not totally accurate.

Then I tried to see if I could customize the language based on the platform (e.g. "Complete Face ID" on a certain iPhone, "Complete Touch ID" on a different iPhone, etc.), but there are issues with that:

Another issue with the generic "biometric" term is that it can sound somewhat scary. The term itself doesn't distinguish between a platform biometric like Face ID, which users find familiar, and a whole new biometric like a third party facial recognition system, which users often find quite invasive.

I suppose "Complete Platform Authenticator Check" is the most accurate... but I doubt many users would have any clue what that means.

So I'm at a loss for what language to use! Any ideas would be very welcome. :)

MasterKale commented 2 years ago

Then I tried to see if I could customize the language based on the platform (e.g. "Complete Face ID" on a certain iPhone, "Complete Touch ID" on a different iPhone, etc.)

This is what we at Duo do when presenting users with the option to use their available platform authenticator. We "brand" the platform authenticator option by looking at the user agent and intuiting the OS to then display specific names like "Touch ID", "Face ID / Touch ID", "Windows Hello"...

And when we can't identify the platform (or the platform doesn't have a special name, like Android biometric) we default to calling it "this device":

I personally think the "this device" labeling is fine for all platform authenticators. It's what I'd use on personal projects if I didn't want to go through the trouble of trying to maintain branding logic.

Regarding "roaming authenticators" it's getting murkier as caBLE support continues to mature. "Use security key" used to be all you needed to worry about to communicate use of a roaming authenticator, but now there's this whole angle of, "a platform authenticator usable as a roaming authenticator". Still not sure how to handle that in this transitional period but maybe it's not worth fretting over for now.

timcappalli commented 2 years ago

My suggestion would be "Continue with your device" as there is a visual hand off to the local OS.

arshadnoor commented 2 years ago

This is the sorry result of companies choosing to ignore educating businesses and consumers about "FIDO". As a consequence, we've ended up with:

IMO, companies who wish to save themselves time/money avoiding having to repeatedly explain the idiocy of marketing departments (who do not understand the reason for standardized names for complex technical concepts*) should stick to one of the following messages:

I would also encourage having a link on the site to educate consumers - at a high level - about what is going on; this site from the FIDO Alliance is helpful: https://loginwithfido.com.

Arshad Noor StrongKey

/* Imagine what the state of the internet might be today if companies had chosen to brand TCP/IP with names their marketing departments chose instead of what the RFC defined - a few of us might still have been programming with COBOL while the rest of us would have been pushing paper forms to feed that machine. /

On 3/19/22 10:45 AM, certainlyNotHeisenberg wrote:

(This is not an issue but a question for the community. Just not sure where else to ask it. Apologies if this is the wrong place!)

I'm using WebAuthn and unsure what language to use so the user understands what's happening. I'd love anyone's input!

Specifically, I'm using the user's email address as the display name and defaulting to platform authenticators. So, there are two steps, where step 1 is "Enter Your Email". But I'm unsure what to call step 2.

I started with "Complete Biometric", but the platform authenticator won't always be a biometric — sometimes it'll be a passcode, or pattern, or PIN, etc.

Then I tried the slightly more generic "Complete Biometric/Passcode Check", but that's a mouthful and still not totally accurate.

Then I tried to see if I could customize the language based on the platform (e.g. "Complete Face ID" on a certain iPhone, "Complete Touch ID" on a different iPhone, etc.), but there are issues with that:

  • There's no totally reliable way to know what platform the user is on.
  • Even if you know the platform, there are often several options at the device level for what the platform authenticator would be. (E.g. on an RCA Q2 phone I have, I can set in phone settings the authenticator to be a passcode, PIN, or pattern.)

Another issue with the generic "biometric" term is that it can sound somewhat scary. The term itself doesn't distinguish between a platform biometric like Face ID, which users find familiar, and a whole new biometric like a third party facial recognition system, which users often find quite invasive.

I suppose "Complete Platform Authenticator Check" is the most accurate... but I doubt many users would have any clue what that means.

So I'm at a loss for what language to use! Any ideas would be very welcome. :)

— Reply to this email directly, view it on GitHub https://github.com/w3c/webauthn/issues/1708, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABWSVTWGDYUVQFGYT4IPQ5TVAYHFFANCNFSM5REJTAQA. Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

You are receiving this because you are subscribed to this thread.Message ID: @.***>

Firstyear commented 2 years ago

This is the sorry result of companies choosing to ignore educating businesses and consumers about "FIDO". As a consequence, we've ended up with: FIDO WebAuthn Windows Hello Passkey ... IMO, companies who wish to save themselves time/money avoiding having to repeatedly explain the idiocy of marketing departments (who do not understand the reason for standardized names for complex technical concepts)

I disagree. This is the result of this WG choosing to ignore accessibility and human interaction as part of our goal. Communication to users and how we chose our language is critical. As a result this standard is dense, overly technical, and confusing even for subject matter experts. How is the barrista at my cafe meant to understand "discoverable credential" or "resident key", or "direct vs none attestation". How can the users of the system we are creating be empowered, if they can't understand the soup of technical jibberish we keep throwing around?

By ignoring the deployment use cases and the experience of both RP's in deployments and the experience of the humans that use these devices, we have created this situation.

These marketing departments are not "idiotic" they are trying to create a human experience that is accessible to a diverse range of humans.

I would encourage you to rethink your choice of words and attitude, and to empathise with peoples who backgrounds are different from your own.

ghost commented 2 years ago

I just came across eBay's WebAuthn implementation, and they use this language:

Tired of passwords? Depending on your device, you can sign in with your fingerprint, face, or PIN

And then once you've signed in, they say:

Face/fingerprint/PIN sign in is on

I think this is reasonably clear (if a bit of a mouthful).

arshadnoor commented 2 years ago

I would encourage you to rethink your choice of words and attitude, and to empathise with peoples who backgrounds are different from your own.

Thank you for calling this out, @Firstyear. After 7 years of working on FIDO and exhorting FIDO Alliance members (long before this WG was formed at the W3C to standardize the API for FIDO protocols) to keep things simple and to focus on consumer education, it has been extremely frustrating to watch this train careening off its rails in slow-motion. But, that is no excuse for my rant. My sincere apologies to all the marketing people who were merely doing their jobs, and all others who were offended by my posting.

At this stage, I will acknowledge that the future of this standard appears to be fully within the control of the three trillion-dollar companies (and their acolytes) driving Level-3 of this specification. And, unless Ms. Lina Khan and Ms. Margrethe Vestager choose to understand the implications of what is going on and do something about it, there is little anyone else can do. I am unsubscribing from this list to avoid having to witness the inevitability of this train wreck.

Firstyear commented 2 years ago

Thanks for the apology @arshadnoor - I appreciate it. I do agree there are many problems in the approach currently taken by this wg, and that the lack of consideration to human's experiences is really problematic. I could have been more gentle in what I responded to you too.

cyberphone commented 2 years ago

@arshadnoor A specific problem with standards developments in contrast to traditional product development, is that the-standard-to-be may challenge members who already have related products on the market. This became particularly evident for the WebAuthn SPC extension, which neither has been compared to Apple Pay, nor to the nowadays almost ubiquitous proprietary mobile banking Apps. AFAICT, SPC is one of the most complex solutions on the market. In fact, SPC is so complex that small to medium sized merchants hardly have any alternative to outsourcing the payment part in its entirety.

MasterKale commented 2 years ago

We're closing this out to bring the discussion into the WACG at the next meeting.